In component-based development, approaches for property verification exist that avoid building the global system behavior of the component model. Typically, these approaches rely on the analysis of the local behavior of fixed-size subsystems of components. In our approach, we want to avoid not only the analysis of the global behavior but also that of the local behaviors of the components. Instead, we consider very small parts of the local behaviors, called port protocols, that suffice to verify properties.

1 Introduction 

Component-based development (CBD) helps to master the design complexity of software systems and enhances reusability. In formal CBD models, each component typically offers a set of ports for cooperation with other components. Thereby, restrictions on the architecture of the system and on the behavior of components allow to verify properties such as deadlock-freedom without exhaustively searching the global state space. Here, we consider the CBD model of interaction systems by Sifakis et al., in which data and I/O operations are completely abstracted away and every single operation is called an action. Each component's behavior is modeled as a labeled transition system (LTS), where the set of labels equals the set of actions and each action is understood as a port of the associated component. The actions are then grouped into sets called interactions to model cooperation. Thereby, an action can only be executed if all other actions contained in an appropriate interaction are also executable. The global behavior is then derived by executing the interactions nondeterministically according to their executability.

A drawback of the original model is that a port is considered as a single action and thus no additional 
behavior can be specified for it. Here, we extend the model of interaction systems to also capture port 
behavior. We group several actions of one component and call this group a port alphabet. Additionally, 
every port alphabet is equipped with a LTS which we call port protocol. The idea behind this approach is 
that in verification steps we use the port protocols of involved components instead of their LTSs. This is 
more efficient since the behavior of the component is typically much larger (if we compare the number of 
states and transitions) than its port protocols. The verification of properties for the whole component then 
follows from the verification step that used only the port protocols. Furthermore, this supports a gray box view of the components that is desired in CBD, similar to the principle of information hiding.

In Hennicker et al. [9] and Mota et al. [11] we find similar ideas. In [9], each port provides a protocol which is correct w.r.t. its component, i.e., the behavior of the component restricted to the actions in the port alphabet (i.e., any other action becomes unobservable) is weakly bisimilar to the port protocol. Then, a notion called "neutrality" allows to apply a reduction strategy such that properties need only be verified on the reduced part of the system. Thereby, neutrality of a port q for a port p means that the composition of the protocols of p and q restricted to the alphabet of p is weakly bisimilar to the protocol of p, i.e., it is sufficient to consider only p. In [11], a similar idea is called "compatibility" of two ports and requires that all sequences of actions of one port are also possible in the other one.

After introducing our definitions in Sec. 2, we consider in Sec. 3 an example where two ports are neither neutral nor compatible, but our approach presented in Sec. 4 allows to verify its deadlock-freedom. Note that several approaches for proving deadlock-freedom in interaction systems exist, e.g., Majster-Cederbaum and Martens [10] or Bensalem et al. [2] in the context of BIP [1] (for which interaction systems are a theoretical model). Apart from the lack of a gray box view of the components, which is desired in CBD [4], these approaches also exploit the compositional structure of the system. In Sec. 3, we demonstrate how the approach of [10] can further benefit from the introduction of port protocols by means of an example system.

The approach of Bensalem et al. [2] is based on finding invariants for the components, which must be provided for each property, and for the interactions, which are computed automatically. Unfortunately, according to Bensalem et al., for this computation "there is a risk of explosion, if exhaustiveness of solutions is necessary in the analysis process." Thus, this approach is not guaranteed to be polynomial in the number and size of the components (respectively of the port protocols), which is an important property of our approach. However, the introduction of port protocols in BIP could be a promising extension w.r.t. a gray box view, if component invariants can be established from the information available from the port protocols alone.

2 Formalization of Protocol Interaction Systems 

A protocol interaction system is defined by a tuple $Sys := (Comp, \{P_i\}_{i \in Comp}, \{A_i^p\}_{i \in Comp,\, p \in P_i}, Int, Beh)$. Here, $Comp$ is a finite set of components, which are referred to as $i \in Comp$. The available ports of a component $i$ are given by the finite set $P_i$, and the mapping $ports(i) := \{i{:}p \mid p \in P_i\}$ allows to refer to a port $p$ of $i$ as $i{:}p \in ports(i)$. The actions of each port $i{:}p$ are given by the set $A_i^p$, also denoted by port alphabet $A_{i:p}$, and are assumed to be disjoint, i.e., $\forall i, j \in Comp,\, p \in P_i,\, q \in P_j:\ i \neq j \vee p \neq q \Rightarrow A_i^p \cap A_j^q = \emptyset$. All available actions of a component $i$ are contained in the action set $A_i := \bigcup_{p \in P_i} A_i^p$, and the union of all action sets is called the global action set $Act := \bigcup_{i \in Comp} A_i$.

A nonempty finite set $\alpha \subseteq Act$ of actions is called an interaction if it contains at most one action of every component, i.e., $|\alpha \cap A_i| \le 1$ for all $i \in Comp$. For any interaction $\alpha$ and component $i$ we put $i(\alpha) := A_i \cap \alpha$. Similarly, for $\alpha$ and a port $i{:}p$ of $i$ we put $i{:}p(\alpha) := A_{i:p} \cap \alpha$. The interaction set $Int$ contains all available interactions and covers all actions, i.e., we require that $\bigcup_{\alpha \in Int} \alpha = Act$ holds.

The behavior model $Beh$ of $Sys$ contains for every component $i$ a LTS $[[i]] := (S_i, A_i, \{\to_i^a\}_{a \in A_i}, I_i)$ describing the local behavior of $i$, where $S_i$ is the local state space, the action set $A_i$ contains the labels, $\{\to_i^a\}_{a \in A_i}$ is a family of transition relations with $\to_i^a \subseteq S_i \times S_i$, and $I_i \subseteq S_i$ is the set of local initial states. Whenever $(s, s') \in \to_i^a$ we write $s \to_i^a s'$ instead. For every port $i{:}p$ of $i$, $Beh$ contains a LTS $[[i{:}p]] := (S_{i:p}, A_{i:p} \cup \{\tau\}, \{\to_{i:p}^a\}_{a \in A_{i:p} \cup \{\tau\}}, I_{i:p})$ describing the port protocol of $i{:}p$. The special symbol $\tau$ is used to model unobservable behavior, and we require $\tau \notin Act$, i.e., no component uses $\tau$ as an action. However, the port protocols are allowed to contain $\tau$-transitions.

A port $i{:}p$ of a component $i$ is said to be conform to the component if $[[i{:}p]] \approx_b f_{i:p}([[i]])$, where $\approx_b$ denotes branching bisimilarity [6] and $f_{i:p}(\cdot)$ is a relabeling function that replaces all labels (respectively transitions) not contained in the port alphabet $A_{i:p}$ with the label $\tau$ (respectively with a $\tau$-transition). Thereby, we assume that the port protocols are minimized w.r.t. branching bisimilarity.

Note that we use branching bisimilarity instead of weak bisimilarity, which is used in the approach of Hennicker et al. [9], because branching bisimilarity preserves more properties of systems (a logical characterization of $\approx_b$ in CTL*-X exists [5]), it is more efficient to compute, and, as remarked by van Glabbeek and Weijland [6], many systems that are weakly bisimilar are also branching bisimilar.

In the following, we fix a protocol interaction system $Sys$. The global behavior of $Sys$ is a LTS $[[Sys]] := (S, Int, \{\to^\alpha\}_{\alpha \in Int}, I)$, where the set of global states $S := \prod_{i \in Comp} S_i$ is given by the Cartesian product of the local state spaces, which we consider to be order independent. Global states are denoted by tuples $s := (s_1, \ldots, s_n)$ with $n = |Comp|$, and the set of global initial states is $I := \prod_{i \in Comp} I_i$. The family of global transition relations $\{\to^\alpha\}_{\alpha \in Int}$ is defined canonically: for any $\alpha \in Int$ and any $s, s' \in S$ we have $s \to^\alpha s'$ if $\forall i \in Comp$: if $i(\alpha) = \{a_i\}$ then $s_i \to_i^{a_i} s'_i$, and if $i(\alpha) = \emptyset$ then $s_i = s'_i$.

Let $C \subseteq Comp$ be a set of components. The partial behavior of $Sys$ with respect to $C$ is a LTS $[[C]] := (S_C, Int_C, \{\to_C^\alpha\}_{\alpha \in Int_C}, I_C)$ where $S_C := \prod_{i \in C} S_i$, $I_C := \prod_{i \in C} I_i$, $Int_C := \{\alpha \cap (\bigcup_{i \in C} A_i) \mid \alpha \in Int\} \setminus \{\emptyset\}$, and $\{\to_C^\alpha\}_{\alpha \in Int_C}$ is defined analogously to the family of global transition relations.

Let $P \subseteq \bigcup_{i \in Comp} ports(i)$ be a set of ports. The port behavior of $Sys$ with respect to $P$ is a LTS $[[P]] := (S_P, Int_P \cup \{\tau\}, \{\to_P^\alpha\}_{\alpha \in Int_P \cup \{\tau\}}, I_P)$ where $S_P := \prod_{i:p \in P} S_{i:p}$, $I_P := \prod_{i:p \in P} I_{i:p}$, and $Int_P := \{\alpha \cap (\bigcup_{i:p \in P} A_{i:p}) \mid \alpha \in Int\} \setminus \{\emptyset\}$. For any $\alpha \in Int_P$ and any $s, s' \in S_P$ we have $s \to_P^\alpha s'$ if $\forall i{:}p \in P$: if $i{:}p(\alpha) = \{a_{i:p}\}$ then $s_{i:p} \to_{i:p}^{a_{i:p}} s'_{i:p}$, and if $i{:}p(\alpha) = \emptyset$ then $s_{i:p} = s'_{i:p}$. Additionally, for $s, s' \in S_P$ we have $s \to_P^\tau s'$ if $\exists i{:}p \in P$: $s_{i:p} \to_{i:p}^\tau s'_{i:p}$ and $\forall j{:}q \in P \setminus \{i{:}p\}$: $s_{j:q} = s'_{j:q}$.

Finally, define the protocol communication graph $G := (V, E)$ of $Sys$, where the vertices are given by $V := Comp \cup (\bigcup_{i \in Comp} ports(i))$ and the edges by $E := \{\{i, i{:}p\} \mid i \in Comp \wedge i{:}p \in ports(i)\} \cup \{\{i{:}p, j{:}q\} \mid i, j \in Comp \wedge i{:}p \in ports(i) \wedge j{:}q \in ports(j) \wedge \exists \alpha \in Int: i{:}p(\alpha) \neq \emptyset \wedge j{:}q(\alpha) \neq \emptyset\}$. Two ports are connected if they are related by an edge in $G$. The port connectivity of a port $i{:}p$ is defined as the number of ports to which $i{:}p$ is connected. If the port connectivity of a port is less than two, we say that the port is uniquely connected. If $G$ forms a tree in the graph-theoretical sense, we say that $G$ is tree-like.

We call a LTS deadlock-free if all its states, which are reachable from an initial state, have at least 
one outgoing transition. 



3 Two Example Systems 

We present two examples: the first one shows that the approaches of Hennicker et al. [9] and Mota et al. [11] are not always applicable, and the second how deadlock analysis in interaction systems can benefit from port protocols.

The first example is the protocol interaction system $Sys_{ex1}$ shown in Fig. 1 with $Comp = \{i, j\}$, $ports(i) = \{i{:}p\}$, and $ports(j) = \{j{:}q\}$. The interaction set is given by $Int = \{\{a_i, a_j\}, \{b_i, b_j\}, \{c_i, c_j\}, \{d_i, d_j\}\}$. Obviously, all ports are conform to their corresponding component. The example shows that the two connected ports are neither neutral nor compatible, since they restrict each other, i.e., in $[[\{i{:}p, j{:}q\}]]$ only the execution path "$\{a_i, a_j\}\ \{c_i, c_j\}$" is possible, which restricts either port.


Figure 1: Protocol interaction system $Sys_{ex1}$ with $Int = \{\{a_i, a_j\}, \{b_i, b_j\}, \{c_i, c_j\}, \{d_i, d_j\}\}$. (a) Protocol communication graph; (b) behavior and port protocol of $i$ resp. $i{:}p$; (c) behavior and port protocol of $j$ resp. $j{:}q$.

The second example is the protocol interaction system $Sys_{ex2}$ shown in Fig. 2 with $Comp = \{m, 1, 2, \ldots, n\}$, $ports(m) = \{m{:}i \mid i \in Comp \setminus \{m\}\}$, and $ports(i) = \{i{:}p\}$ for $i \in Comp \setminus \{m\}$. The interaction set is given by $Int = \{\{a_m^i, a_i\} \mid i \in Comp \setminus \{m\}\}$. Obviously, all ports are conform to their corresponding component.

Figure 2: Protocol interaction system $Sys_{ex2}$ with $Int = \{\{a_m^i, a_i\} \mid 1 \le i \le n\}$. (a) Protocol communication graph; (b) behavior of component $m$; (c) port protocol of port $m{:}i$ with $1 \le i \le n$; (d) behavior and port protocol of border component $i$ resp. port $i{:}p$ with $1 \le i \le n$.



As an example for deadlock analysis, we consider the analysis of Majster-Cederbaum and Martens [10] for tree-like interaction systems. The check for deadlock-freedom of $Sys_{ex2}$ requires among other things that we analyze the partial behavior of all pairs of connected components, i.e., we have to carry out this analysis $n$ times. Since the size of any such partial behavior is $O(n)$, because in each check the middle component is used, the whole deadlock analysis needs $O(n^2)$ time. If we use the port protocols instead of the whole behavior in each step, each protocol behavior can be traversed in constant time. Thus, the total amount of work is $O(n)$.

Note that the example only motivates the use of port protocols in tree-like systems and that the global state space of the example can be traversed in $O(n)$. But with more complex behavior of the non-middle components the cost of this traversal increases such that a global state space analysis becomes infeasible.



4 Proving Deadlock-Freedom 

In order to exploit the compositional information and the information obtained by combining the port 
protocols, we need to put restrictions on the architecture, e.g., on the form of the protocol communication 
graph, and on the local behaviors, e.g., on the existence of unobservable behavior in the port protocols. 

The following theorem exploits such restrictions and allows for efficient verification of deadlock-freedom in interaction systems, which can be performed in time polynomial in the number and size of the port protocols. Note that the examples of Sec. 3 can be verified in this way.

Theorem: Let $Sys$ be a protocol interaction system and $G$ its protocol communication graph. Assume that $G$ is tree-like and that every port is uniquely connected and conform to its corresponding component and its minimal port protocol w.r.t. branching bisimilarity is $\tau$-free. If for all connected ports $i{:}p$ and $j{:}q$ of all components $i, j \in Comp$ it holds that $[[\{i{:}p, j{:}q\}]]$ is deadlock-free, then $[[Sys]]$ is deadlock-free.

The theorem exploits the idea that an unobservable step in a port protocol is only present if the component's future behavior can be influenced by the cooperation with its environment. If no $\tau$ is present, the component's behavior visible through the port protocol is inevitable. Because of the structure of the protocol communication graph, it is then sufficient to check pairs of port protocols for deadlock-freedom, because due to their $\tau$- and deadlock-freedom, no cyclic waiting relation is possible.

Proof (Sketch): We successively consider partial behaviors of connected components of increasing size in an induction-like manner. Assume that there is a set $C \subseteq Comp$ of components such that $[[C]]$ is deadlock-free. Now pick a component $j \notin C$ and consider $C' := C \cup \{j\}$. Assume $[[C']]$ is not deadlock-free, although a component $i \in C$ and a port $i{:}p \in ports(i)$ exist such that $i{:}p$ is connected to a port $j{:}q \in ports(j)$ and $[[\{i{:}p, j{:}q\}]]$ is $\tau$- and deadlock-free (which follows from the assumptions). Due to the deadlock, there is a reachable state $s_{C'} \in S_{C'}$ that has no outgoing transition. Since the corresponding state $s_C \in S_C$ in the system without $j$ is deadlock-free, there must be an action $a_i \in A_i$ and states $s_i, s'_i \in S_i$ with $s_i$ being $i$'s local part in $s_C$ and $s_i \to_i^{a_i} s'_i$. But the corresponding interaction $\alpha$ with $i(\alpha) = i{:}p(\alpha) = \{a_i\}$ is not available in $s_{C'}$ anymore, due to the deadlock, i.e., there must be an $a_j \in A_j$ with $j(\alpha) = j{:}q(\alpha) = \{a_j\}$ that is not enabled in the local part $s_j$ of $s_{C'}$. Consider the partial behavior $[[\{i, j\}]]$ and the state $(s_i, s_j) \in S_{\{i,j\}}$, which is reachable from an initial state in $[[\{i, j\}]]$ since the deadlocked state $s_{C'}$ is reachable in $[[C']]$. Now, an equivalent state $(s_{i:p}, s_{j:q}) \in S_{\{i:p, j:q\}}$ with $s_{i:p} \approx_b s_i$ and $s_{j:q} \approx_b s_j$ is also reachable in the protocol behavior $[[\{i{:}p, j{:}q\}]]$ because of the protocol conformance. But then $[[C']]$ cannot be deadlocked, since at least one $\alpha' \in Int_{\{i:p, j:q\}}$ (and thus the corresponding $\alpha' \in Int$) is enabled in $(s_{i:p}, s_{j:q})$ because of the protocol behavior's deadlock-freedom, and this $\alpha'$ can be blocked in $[[C']]$ neither by $i$ (because $i$'s cooperation with the other components in $C$ is deadlock-free) nor by $j$ (because the only cooperation partner of $j$ is $i$), because otherwise the protocol behavior $[[\{i{:}p, j{:}q\}]]$ would contain a $\tau$-transition. $\square$
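The following is an added example, written for this edition and not part of the paper, that makes the definitions of Sec. 2, the size comparison of Sec. 3 and the theorem above executable in Python. It builds the global, partial and port behaviors with a single synchronous-product routine (restriction of $Int$ to the alphabets of the chosen components or ports, plus interleaved $\tau$-steps), checks the structural hypotheses of the theorem (tree-like protocol communication graph, unique connectivity, $\tau$-freedom of the port protocols) and then checks every pair of connected ports for deadlock-freedom. Assumptions not taken from the paper: the label `tau` stands for $\tau$; the shapes of the behaviors in Fig. 2 are not in the text, so $Sys_{ex2}$ is modeled with $m$ cycling through $a_m^1, \ldots, a_m^n$ and with one-state self-loop port protocols, which is consistent with the size argument of Sec. 3; conformance of the port protocols to their components (a branching bisimulation check) is assumed rather than verified; and the `stuck` parameter of `example2` is a constructed failure case, not part of the paper's example.

```python
from collections import deque
from itertools import product

TAU = "tau"  # unobservable label; assumed not to be an action of any component


class LTS:  # transitions are (s, label, s') triples; the state set is implicit
    def __init__(self, init, trans):
        self.init, self.trans = frozenset(init), frozenset(trans)
    def alphabet(self):  # A_i resp. A_{i:p}: the visible labels
        return {lab for _, lab, _ in self.trans} - {TAU}
    def successors(self, s):
        return [(lab, t) for u, lab, t in self.trans if u == s]
    def reachable(self):
        seen, todo = set(self.init), deque(self.init)
        while todo:
            for _, t in self.successors(todo.popleft()):
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen
    def deadlock_free(self):  # every reachable state has an outgoing transition
        return all(self.successors(s) for s in self.reachable())


def sync_product(parts, interactions):
    """Reachable part of [[C]] resp. [[P]] ([[Sys]] if parts = all components): the
    interactions are restricted to the parts' alphabets (Int_C resp. Int_P), a part
    without an action in the interaction keeps its state, any part may do a tau step."""
    alphas = [p.alphabet() for p in parts]
    restricted = {a & set().union(*alphas) for a in interactions} - {frozenset()}
    init = set(product(*(p.init for p in parts)))
    trans, seen, todo = set(), set(init), deque(init)
    while todo:
        s = todo.popleft()
        moves = []
        for a in restricted:
            options = [[s[k]] if not a & alphas[k] else
                       [t for lab, t in part.successors(s[k]) if lab in a]
                       for k, part in enumerate(parts)]
            moves += [(a, t) for t in product(*options)]
        for k, part in enumerate(parts):
            moves += [(TAU, s[:k] + (t,) + s[k + 1:])
                      for lab, t in part.successors(s[k]) if lab == TAU]
        for lab, t in moves:
            trans.add((s, lab, t))
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return LTS(init, trans)


class ProtocolInteractionSystem:
    def __init__(self, components, ports, interactions):
        self.components = components  # name -> LTS, the local behaviour [[i]]
        self.ports = ports            # "i:p" -> LTS, the port protocol [[i:p]]
        self.interactions = [frozenset(a) for a in interactions]
    def connected(self, p, q):  # some interaction contains an action of both ports
        ap, aq = self.ports[p].alphabet(), self.ports[q].alphabet()
        return p != q and any(a & ap and a & aq for a in self.interactions)
    def connected_pairs(self):
        return [(p, q) for p in self.ports for q in self.ports if p < q and self.connected(p, q)]
    def is_tree_like(self):
        # graph G: components and ports as vertices, component-port and port-port edges
        vertices = set(self.components) | set(self.ports)
        edges = {frozenset((p.split(":")[0], p)) for p in self.ports}
        edges |= {frozenset(pq) for pq in self.connected_pairs()}
        graph = LTS([next(iter(vertices))],  # LTS reachability doubles as graph search
                    {(u, "edge", v) for e in edges for u in e for v in e if u != v})
        return graph.reachable() == vertices and len(edges) == len(vertices) - 1
    def behavior(self, names):  # [[P]] for port names, [[C]] for component names
        parts = [self.ports[x] if x in self.ports else self.components[x] for x in names]
        return sync_product(parts, self.interactions)
    def check_by_theorem(self):
        """(True, why) iff the structural hypotheses of the theorem hold and every
        pair of connected ports has a deadlock-free port behaviour."""
        if not self.is_tree_like():
            return False, "protocol communication graph is not tree-like"
        for p, proto in self.ports.items():
            if sum(self.connected(p, q) for q in self.ports) > 1:
                return False, p + " is not uniquely connected"
            if any(lab == TAU for _, lab, _ in proto.trans):
                return False, p + " contains a tau-transition"
        for p, q in self.connected_pairs():
            if not self.behavior([p, q]).deadlock_free():
                return False, "port behaviour of %s and %s deadlocks" % (p, q)
        return True, "deadlock-free by the theorem (conformance assumed)"


def example2(n, stuck=None):
    """Sys_ex2 with n border components (assumed shapes: m cycles a^1_m ... a^n_m, every
    port protocol is one state with a self-loop). stuck=i is a constructed failure case."""
    comps = {"m": LTS({0}, {(k, "a^%d_m" % (k + 1), (k + 1) % n) for k in range(n)})}
    ports = {}
    for i in range(1, n + 1):
        ports["m:%d" % i] = LTS({0}, {(0, "a^%d_m" % i, 0)})
        comps[str(i)] = LTS({0}, {(0, "a_%d" % i, 1 if i == stuck else 0)})
        ports["%d:p" % i] = comps[str(i)]
    ints = [{"a^%d_m" % i, "a_%d" % i} for i in range(1, n + 1)]
    return ProtocolInteractionSystem(comps, ports, ints)
```

`example2(4).check_by_theorem()` succeeds, and the global behavior built from all four border components plus $m$ is indeed deadlock-free. `example2(3, stuck=1)` is rejected because the port behavior of `m:1` and `1:p` reaches a state without outgoing transitions, and its global behavior deadlocks after one round of $m$. The partial behavior of $m$ and one border component has $n$ reachable states, while the port behavior of the corresponding pair of ports has one, which is the saving described in Sec. 3.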

Currently, we are investigating weaker versions of the theorem, e.g., we conjecture that it is sufficient that the protocol behavior of combined port protocols is $\tau$-free instead of requiring the $\tau$-freedom of all port protocols, and we try to apply the port protocol approach to the verification of other generic properties such as progress and of specific properties of a given system specified in CTL*-X. Additionally, the proof of the theorem shows an application for a correctness-by-construction approach.